Resident doesn't see virus... but on-demand catches it

A big problem with Avast and at least 1 virus.

AdobeR.exe, which spreads via USB key.

The resident scanner doesn't see it at all; I can copy, run, move, edit it (on local HD, or USB...) with absolutely no reaction.

But when I launch the main Avast program, it catches it in the memory test.

... The resident is active; if I test it with EICAR, it catches the file when I copy or move it, but for the virus... it does nothing.

What is your Standard Shield sensitivity? High, Normal, Customized (how)?

Can you send the samples to virus@avast.com?
You can zip and password-protect the files... Include a link to this thread and the password used.
You can send the files to the Chest and, from there, resend them to Alwil for analysis.
Thanks.

What was the malware name? It could be a newly added signature in a VPS update.

The name for Avast is “Win32:Rjump [Wrm]”

It is not a new virus, it is months old.

The virus is well detected and deleted/quarantined by the on-demand scan (it is also detected by the memory scan if it is loaded at the time I launch the main Avast program).

But the resident doesn't see it; same problem at every sensitivity, normal / max / custom with all options...

I have sent it to virus@avast.com.

Other info... French version of Avast Home on XP SP2 (Pro or Home) Fr.

Many computers are affected by the same problem: lots of personal student laptops in my high school are affected, since this worm propagates via USB key.

A while ago, through testing, I realized that the main On-Demand scanner has stronger malware detection than both the Resident Shield and the Quick Scanner. Also, I realized that the Quick Scanner has stronger malware detection than the Resident Shield. Apparently, even with each at its highest setting, the On-Demand scanner can scan more thoroughly than the other two.

The ashQuick.exe is the most aggressive of the scanners; it will scan all files with all unpackers. On-Demand will only scan files depending on your settings (Thorough with Archives being the strongest). Resident, on-access scanners will also scan files depending on settings, but an .exe file should be scanned before execution.

@ Ascadix
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner; if any other scanners there detect them, it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the Chest; you will need to move it out.

Please post the results here.

The file might be running/loading something into memory that is being detected; the AdobeR.exe itself might not be what is being detected, but rather something it is loading.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RJUMP.D
http://www.bleepingcomputer.com/startups/AdobeR.exe-16732.html

I know these 2 on-line scanners; I have used both of them for a long time. Both detect AdobeR.exe with all but 1 or 2 engines.
The Avast engine catches it on both pages under the "Win32:Rjump" name.

Some AV vendors' tech pages say that AdobeR.exe may be dropped by another malware, but what I see is that it has a self-propagation capability, at least by dropping a copy of itself + a special autorun.inf on removable drives like USB keys/disks and mapped network drives.

When a "filled" USB key is inserted into a clean system, depending on the autorun setting, the worm is "autorun'ed" by Windows, and the worm then:

  • copies itself to the Windows folder
  • stays in memory (a simple process; I haven't seen any rootkit capability, it can be killed with taskmgr)
  • waits for another removable drive to fill

No news ??? :-\

Did you run avast at boot time?
Did you disable System Restore (cleaning the infected restore points) and then enable it again?

The computers are well cleaned; the on-demand scan does its job well.
This is not the problem.

The problem is that the resident simply ignores viruses/malware that are known in the virus database, so...:

  • the computer is clean
  • the user plugs in/connects an infected medium...
  • autorun launches the malware
  • Avast resident... does nothing
  • the computer is infected
  • the user must manually launch the main Avast program to clean it

I have "recommended" Avast to students in my high school for many months; how can I tell them now that it is not a serious AV?
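The two posts above describe the same mechanism from both sides: the worm drops a copy of itself plus an autorun.inf on a removable drive, and Windows AutoRun launches that copy on the next clean machine. The script below is an added example written for this thread, not code from the original posts or from Alwil/Avast. It parses an autorun.inf the way a triage tool would, lists what the file asks Windows to launch, and flags the pattern where the launch target is an executable sitting right beside the autorun.inf on the drive root. The sample USB root (`autorun.inf` plus a placeholder `dropped.exe`) is constructed inline; the file names are hypothetical and are not the worm's real artefacts. The `NoDriveTypeAutoRun` helper checks the Explorer policy bit (0x04) that governs AutoRun for removable drives; 0x91 is the commonly cited XP default, which leaves that bit clear.

```python
"""Hypothetical example, not code from the thread or from Alwil/Avast.

Inspects a drive root for the autorun.inf + dropped-executable pair the
posts describe, parses the autorun.inf to see what Windows would launch,
and checks the NoDriveTypeAutoRun policy bit for removable drives.
All sample files below are constructed for the demonstration.
"""
import os
import re
import tempfile

# Extensions Windows will execute directly when named in autorun.inf.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}

# Keys in the [autorun] section that cause code to run on insertion/open.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Parse autorun.inf (INI-like) into {section: {key: value}}; names are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(sections):
    """Return the file names autorun.inf asks Windows to run (first token, quotes stripped)."""
    targets = []
    for key, value in sections.get("autorun", {}).items():
        # 'open=', 'shellexecute=' and 'shell\<verb>\command=' all launch something.
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            m = re.match(r'\s*(?:"([^"]+)"|(\S+))', value)
            if m:
                targets.append(m.group(1) or m.group(2))
    return targets


def assess_drive(root):
    """For one drive root: each launch target, whether it is an executable, and whether it is on the drive."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, "r", errors="replace") as fh:
        sections = parse_autorun(fh.read())
    present = {name.lower() for name in os.listdir(root)}
    findings = []
    for target in launch_targets(sections):
        name = os.path.basename(target.replace("\\", "/")).lower()
        findings.append({
            "target": target,
            "executable": os.path.splitext(name)[1] in EXECUTABLE_EXTS,
            "present_on_drive": name in present,
        })
    return findings


def suspicious(findings):
    """The pattern from the thread: autorun.inf hands execution to an executable dropped beside it."""
    return any(f["executable"] and f["present_on_drive"] for f in findings)


# Explorer\NoDriveTypeAutoRun bit for DRIVE_REMOVABLE (USB keys).
REMOVABLE_BIT = 0x04


def autorun_blocked_for_removable(no_drive_type_autorun):
    """True when the policy DWORD disables AutoRun for removable drives."""
    return bool(no_drive_type_autorun & REMOVABLE_BIT)


def build_sample_drive():
    """Constructed stand-in for an infected USB root: autorun.inf pointing at a dropped .exe (hypothetical names)."""
    root = tempfile.mkdtemp(prefix="usbroot_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=dropped.exe\nshellexecute=dropped.exe\nicon=dropped.exe,0\n")
    with open(os.path.join(root, "dropped.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)  # placeholder bytes, not a real binary
    return root


if __name__ == "__main__":
    root = build_sample_drive()
    findings = assess_drive(root)
    for f in findings:
        print(f)
    print("suspicious:", suspicious(findings))
    print("removable AutoRun blocked with 0xFF:", autorun_blocked_for_removable(0xFF))
    print("removable AutoRun blocked with 0x91 (XP default):", autorun_blocked_for_removable(0x91))
```

On a real machine you would point `assess_drive` at each removable drive letter instead of the constructed root. The point of the policy check is the "depending on autorun setting" step in the chain: with the 0x04 bit set, Windows does not act on the autorun.inf, and the dropped executable stays inert until something opens it.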

No software is perfect. You have the right to ask for better detection.
But calling avast not serious is, in my opinion, going too far and being unfair.
Hope the Alwil team could give you priority on detecting this malware.